ietf

Re: Admission Control to the IETF 78 and IETF 79 Networks

2010-07-12 22:13:05
See below ...

On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:

No, if you read my book you would see the scheme I am proposing.

The problem with current MAC addresses is that they are not
trustworthy. That is accepted. If MAC addresses were not trivially
forged then the existing WiFi scheme would work fine.

...

Instead every device would have been issued with a device cert to bind
the MAC address to a public key during manufacture. This is already a
requirement for cable modems. The cost is of the order of cents per
device if the certs are installed during manufacture. Maintenance
costs get much higher as soon as the device has left the factory.

I don't see any need for the MAC address to be bound. If the device
has a built-in cert, you can use that, regardless of what the MAC
address is, to authenticate and secure communications.

Isn't this provided by 802.1AR-2009? ( Available from
http://standards.ieee.org/getieee802/802.1.html )

The function of the certificate is to stop the MAC address being
trivially forged. OK yes, if you design the protocols wrong then you
can end up with Cisco being able to intercept on the wire traffic. But
if you do the job right you can prevent interception even if the
manufacturer defects.

...

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
